PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-34216 Ctrlpanel-gg CVE debrief

**CVE-2026-34216: CtrlPanel Authenticated RCE via Unrestricted Class Instantiation**

| Field | Value |
|---|---|
| Vendor | Ctrlpanel-gg |
| Product | panel |
| CVSS | MEDIUM 6.6 |
| CISA KEV | Not listed in stored evidence |
| Original CVE published | 2026-05-19 |
| Original CVE updated | 2026-05-20 |
| Advisory published | 2026-05-19 |
| Advisory updated | 2026-05-20 |

Who should care

Organizations running CtrlPanel hosting billing software versions ≤1.1.1 with administrative access exposed to untrusted users or compromised admin credentials.

Technical summary

The vulnerability lies in the admin settings update endpoint, where the user-supplied `settings_class` value is passed directly to `new $settings_class()` and `$settings_class::getValidations()` without allowlist validation. Because PHP resolves class names through the Composer autoloader at runtime, any autoloadable class (including classes shipped by dependencies) can be instantiated. An authenticated administrator can therefore trigger unintended constructor or magic-method execution (`__construct`, `__toString`, `__wakeup`), following the PHP object injection / gadget chain pattern, to achieve remote code execution. The attack requires high privileges (admin) and has high attack complexity, since the attacker must first identify an exploitable class in the dependency tree.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade CtrlPanel to version 1.2.0 or later immediately.
  • Restrict admin panel access to trusted IP ranges and enforce MFA for administrative accounts.
  • Audit application logs for unexpected class instantiation attempts or settings_class parameter manipulation.
  • Review Composer dependency tree for classes with dangerous constructors or magic methods that could facilitate gadget chains.
  • Implement additional input validation at the application layer to restrict settings_class to an explicit allowlist of legitimate settings classes.
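The following PHP snippet is an added illustration of the pattern described in the technical summary and of the allowlist fix recommended in the last action above; it is not CtrlPanel's code, and the settings class names, the interface and the function names are hypothetical stand-ins.

```php
<?php
// Added illustration, not CtrlPanel's code. GeneralSettings, MailSettings and
// SettingsPage are hypothetical stand-ins for the application's real classes.

namespace App\Settings;

interface SettingsPage {
    public static function getValidations(): array;
}

final class GeneralSettings implements SettingsPage {
    public static function getValidations(): array { return ['app_name' => 'required|string']; }
}

final class MailSettings implements SettingsPage {
    public static function getValidations(): array { return ['mail_host' => 'required|string']; }
}

// Vulnerable pattern described in the advisory: the class name is taken straight
// from the request, so any class the Composer autoloader can find (dependencies
// included) gets instantiated and its constructor / magic methods run.
function resolveSettingsVulnerable(array $input): object {
    $settings_class = $input['settings_class'];       // attacker-controlled string
    $rules = $settings_class::getValidations();      // static call on an arbitrary class
    return new $settings_class();                    // arbitrary instantiation
}

// Hardened form: map a short, fixed key to a known class and never instantiate a
// request-supplied string. Unknown keys are rejected before any class is touched.
const SETTINGS_ALLOWLIST = [
    'general' => GeneralSettings::class,
    'mail'    => MailSettings::class,
];

function resolveSettingsSafe(array $input): object {
    $key = (string) ($input['settings_class'] ?? '');
    if (!array_key_exists($key, SETTINGS_ALLOWLIST)) {
        // Log the rejected value (truncated): this is the signal the log audit
        // action above looks for when hunting settings_class manipulation.
        error_log('settings_class rejected: ' . substr($key, 0, 80));
        throw new \InvalidArgumentException('Unknown settings class');
    }
    $class = SETTINGS_ALLOWLIST[$key];
    $rules = $class::getValidations();               // only allowlisted classes reach here
    return new $class();
}
```

Comparing the two functions on an input such as `['settings_class' => 'Some\\Vendor\\Gadget']` shows the difference: the vulnerable version hands the string to the autoloader, the safe version rejects it and writes a log line before any class is resolved.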

Evidence notes

CVE published 2026-05-19; modified 2026-05-20. Fix released in CtrlPanel 1.2.0. CVSS 6.6 (Medium) per NVD vector CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H.

Official resources

2026-05-19